PC Help And Information Easy Maintenance And Free Software

 Attacks On Lush Website Expose Credit-Card Details


PostSubject: Attacks On Lush Website Expose Credit-Card Details   Sat Jan 22, 2011 11:03 am

Quote :
Lush did not release technical details of the attack, nor specify the number of customers compromised or the security techniques used to handle the data involved, but anecdotal evidence indicates that some customers have been the victims of fraud.

The company sent an email statement to customers on Thursday outlining the incident and urging them to contact their banks.

"Our website has been the victim of hackers," Lush said in the email. "Twenty-four-hour security monitoring has shown us that we are still being targeted, and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry — so have decided to completely retire this version of our website."

Lush said it is preparing another version of its UK website to replace the one it has taken offline. The new version will launch within a few days and will initially only accept payments via PayPal, it added.

The incident affected customers who placed online orders between 4 October, 2010 and 20 January, 2011, according to Lush. Orders placed in Lush's shops or via telephone are not affected.

Some security experts have questioned Lush's timing in notifying customers of the breach. The company has acknowledged that it discovered the issue in late December, yet affected transactions include ones placed in January.

In a statement, the cosmetics company said that it had responded to the breach by starting a "thorough investigation" and putting in place "extra security measures". However, it was only when security monitoring showed the latest hacking attempt that Lush took down its UK website and notified customers, according to the statement.

Lush added that it is working with the police and its credit-card acquirer to carry out a full investigation into the hacking.

The company's response raises more questions than it answers, according to security researcher Graham Cluley of Sophos.

"Was the customer credit-card information not encrypted?" he wrote in a blog post on Friday. "If it had been strongly encrypted, then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud."

Writing on Lush's Facebook page, several customers confirmed their details had been abused.

"My card details were used fraudulently, and I had the hassle of needing a new card and no access to my money," wrote a user identifying herself as Jane Sendall on Friday. "It would have been nice to have been warned earlier."

Another user, identifying herself as Kerry Aldam, wrote on Friday that a purchase in October had resulted in an incident of fraud within "the last few days".

On its temporary UK website, Lush posted a video of toy lemmings playing music, alongside a note urging users to "click on the video to try and share a smile". The temporary site also addressed a message to those responsible for the attack.

"To the hacker: If you are reading this, our web team would like to say that your talents are formidable," the note read. "We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers."
The Full Story Is Here
